我需要将我的cloudwatch日志发送到日志分析服务。
我已经阅读了here和here这两篇文章,并手把手地让它工作,不用担心。
现在,我正在尝试使用Terraform自动化所有这些操作(角色/策略、安全组、cloudwatch日志组、lambda以及从日志组触发lambda )。
但是我不知道如何使用TF来配置AWS来触发cloudwatch日志中的lambda。
我可以通过执行以下操作将两个TF资源手动链接在一起(在Lambda web控制台UI中):
进入lambda函数的"Triggers“部分,然后单击"Add Trigger"
的日志组输入筛选器名称<
完成后,lambda将显示在cloudwatch日志控制台的订阅列中-显示为"Lambda (cloudwatch-sumologic-lambda)“。
我尝试使用以下TF资源创建订阅:
resource "aws_cloudwatch_log_subscription_filter" "cloudwatch-sumologic-lambda-subscription" {
name = "cloudwatch-sumologic-lambda-subscription"
role_arn = "${aws_iam_role.jordi-waf-cloudwatch-lambda-role.arn}"
log_group_name = "${aws_cloudwatch_log_group.jordi-waf-int-app-loggroup.name}"
filter_pattern = "logtype test"
destination_arn = "${aws_lambda_function.cloudwatch-sumologic-lambda.arn}"
}
但失败的原因是:
aws_cloudwatch_log_subscription_filter.cloudwatch-sumologic-lambda-subscription: InvalidParameterException:供应商lambda的destinationArn不能与roleArn一起使用
我发现this answer关于为预定事件设置类似的东西,但这似乎不等同于我上面描述的控制台操作(控制台UI方法不会创建我可以看到的事件/规则)。
谁能给我指点一下我做错了什么?
发布于 2016-07-18 12:57:23
我错误地定义了aws_cloudwatch_log_subscription_filter
资源-在这种情况下,您不应该提供role_arn
参数。
您还需要添加一个aws_lambda_permission
资源(在筛选器上定义了depends_on
关系,否则TF可能会以错误的顺序进行添加)。
请注意,AWS lambda控制台UI会以不可见的方式为您添加lambda权限,因此请注意,如果您之前在控制台UI中执行过相同的操作,则aws_cloudwatch_log_subscription_filter
将在没有权限资源的情况下工作。
必要的TF配置如下所示(最后两个资源是配置实际cloudwatch->lambda
触发器的相关资源):
// intended for application logs (access logs, modsec, etc.)
resource "aws_cloudwatch_log_group" "test-app-loggroup" {
name = "test-app"
retention_in_days = 90
}
resource "aws_security_group" "cloudwatch-sumologic-lambda-sg" {
name = "cloudwatch-sumologic-lambda-sg"
tags {
Name = "cloudwatch-sumologic-lambda-sg"
}
description = "Security group for lambda to move logs from CWL to SumoLogic"
vpc_id = "${aws_vpc.dev-vpc.id}"
}
resource "aws_security_group_rule" "https-egress-cloudwatch-sumologic-to-internet" {
type = "egress"
from_port = 443
to_port = 443
protocol = "tcp"
security_group_id = "${aws_security_group.cloudwatch-sumologic-lambda-sg.id}"
cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_iam_role" "test-cloudwatch-lambda-role" {
name = "test-cloudwatch-lambda-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow"
}
]
}
EOF
}
resource "aws_iam_role_policy" "test-cloudwatch-lambda-policy" {
name = "test-cloudwatch-lambda-policy"
role = "${aws_iam_role.test-cloudwatch-lambda-role.id}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CopiedFromTemplateAWSLambdaVPCAccessExecutionRole1",
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface"
],
"Resource": "*"
},
{
"Sid": "CopiedFromTemplateAWSLambdaVPCAccessExecutionRole2",
"Effect": "Allow",
"Action": [
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface"
],
"Resource": "arn:aws:ec2:ap-southeast-2:${var.dev_vpc_account_id}:network-interface/*"
},
{
"Sid": "CopiedFromTemplateAWSLambdaBasicExecutionRole1",
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:ap-southeast-2:${var.dev_vpc_account_id}:*"
},
{
"Sid": "CopiedFromTemplateAWSLambdaBasicExecutionRole2",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:ap-southeast-2:${var.dev_vpc_account_id}:log-group:/aws/lambda/*"
]
},
{
"Sid": "CopiedFromTemplateAWSLambdaAMIExecutionRole",
"Effect": "Allow",
"Action": [
"ec2:DescribeImages"
],
"Resource": "*"
}
]
}
EOF
}
resource "aws_lambda_function" "cloudwatch-sumologic-lambda" {
function_name = "cloudwatch-sumologic-lambda"
filename = "${var.lambda_dir}/cloudwatchSumologicLambda.zip"
source_code_hash = "${base64sha256(file("${var.lambda_dir}/cloudwatchSumologicLambda.zip"))}"
handler = "cloudwatchSumologic.handler"
role = "${aws_iam_role.test-cloudwatch-lambda-role.arn}"
memory_size = "128"
runtime = "nodejs4.3"
// set low because I'm concerned about cost-blowout in the case of mis-configuration
timeout = "15"
vpc_config = {
subnet_ids = ["${aws_subnet.dev-private-subnet.id}"]
security_group_ids = ["${aws_security_group.cloudwatch-sumologic-lambda-sg.id}"]
}
}
resource "aws_lambda_permission" "test-app-allow-cloudwatch" {
statement_id = "test-app-allow-cloudwatch"
action = "lambda:InvokeFunction"
function_name = "${aws_lambda_function.cloudwatch-sumologic-lambda.arn}"
principal = "logs.ap-southeast-2.amazonaws.com"
source_arn = "${aws_cloudwatch_log_group.test-app-loggroup.arn}"
}
resource "aws_cloudwatch_log_subscription_filter" "test-app-cloudwatch-sumologic-lambda-subscription" {
depends_on = ["aws_lambda_permission.test-app-allow-cloudwatch"]
name = "cloudwatch-sumologic-lambda-subscription"
log_group_name = "${aws_cloudwatch_log_group.test-app-loggroup.name}"
filter_pattern = ""
destination_arn = "${aws_lambda_function.cloudwatch-sumologic-lambda.arn}"
}
编辑:请注意,上面的TF代码是几年前使用0.11.x
版本编写的-它应该仍然可以工作,但可能有更好的方法。具体地说,除非需要,否则不要使用这样的内联策略,而是使用aws_iam_policy_document -随着时间的推移,它们更容易维护。
发布于 2020-08-13 04:49:35
在使用Terraform v0.12.29
和亚马逊网络服务提供商v3.1.0
时,我遇到了一个奇怪的问题,这花费了我几个小时的调试时间。
为了节省其他人的宝贵时间,我将分享它,作为对公认答案的补充。
云监控日志组arn的值
${aws_cloudwatch_log_group.test-app-loggroup.arn}
的插值不正确-在输出的末尾缺少一个。
这会导致以下错误:
创建{ the -can
}时出错: InvalidCloudWatchLogsLogGroupArnException:请检查日志组ARN:{the-can service}无法验证它。
添加:*
后缀解决了这个问题:
source_arn = "${aws_cloudwatch_log_group.test-app-loggroup.arn}:*" #<----Notice the :* postfix
https://stackoverflow.com/questions/38407660
复制相似问题